Customers' info potentially handed to anyone who could send an HTTP request
# Vulnerability: Trump Mobile Unauthenticated API Data Leak
## CVE Details
- **CVE ID:** Not yet assigned (Disclosed via third-party report)
- **CVSS Score:** Estimated 7.5 (High) - *Calculated based on unauthorized access to PII*
- **CWE:** CWE-284: Improper Access Control / CWE-306: Missing Authentication for Critical Function
## Affected Systems
- **Products:** Trump Mobile official e-commerce/customer website.
- **Versions:** Production environment active as of May 2026.
- **Configurations:** Web-based API endpoints used for order tracking and customer management.
## Vulnerability Description
The Trump Mobile website used API endpoints that performed no authentication or authorization check on the caller. A technical analysis showed that sending an ordinary HTTP POST request to specific endpoints let any user query customer records. Although the API limited each response to ten records, those records carried sequential customer/account numbers, so an attacker could use a simple loop script to iterate through the identifier space and systematically exfiltrate the Personally Identifiable Information (PII) of the entire customer base.
## Exploitation
- **Status:** PoC available (demonstrated by independent researcher); reported fix implemented.
- **Complexity:** Low (Requires only basic knowledge of HTTP methods and browser consoles).
- **Attack Vector:** Network (Remote via Internet).
## Impact
- **Confidentiality:** High (Leakage of PII including names, addresses, emails, and phone numbers).
- **Integrity:** None (Read-only access reported).
- **Availability:** None.
## Remediation
### Patches
- **Vendor Action:** As of the report date, the vulnerability appears to have been patched silently by the vendor’s web team. The API endpoints no longer return PII to unauthenticated requests.
### Workarounds
- **User Side:** Affected customers should watch for targeted phishing, smishing (SMS phishing), and physical mail scams that use the leaked address data.
- **Administrator Side:** Require authentication (for example OAuth or JWT bearer tokens) on every API endpoint that returns sensitive data, enforce per-record authorization so a caller can only read their own account, and apply rate limiting to blunt "looping" or scraping attacks.
## Detection
- **Indicators of Compromise:** High volumes of POST requests from a single IP address targeting API endpoints, specifically those iterating through customer IDs or enrollment IDs.
- **Detection Methods:** Review web server access logs for unusual patterns of HTTP POST requests targeting backend API paths (e.g., `/api/[endpoint]`).
## References
- **The Register:** hxxps://www[.]theregister[.]com/2026/05/22/trump_mobile_data_leak/
- **Coffeezilla (Video Report):** hxxps://www[.]youtube[.]com/watch?v=voxXDDq58Bk
- **penguinz0 (Video Report):** hxxps://www[.]youtube[.]com/watch?v=c8TwGH1B5wA